- Identify IT risks
- Assess the implications of those risks
- Put in place systems to limit the potential damage
- Are our firewalls secure and fit for purpose?
- Are our security settings the right ones?
- Who can access what data?
- Is our malware and virus protection adequate?
- What arrangements are there for keeping devices/software up to date?